windbg 常用命令~*

32bit和64bit切换：!wow64exts.sw

查看进程运行的时间：vertarget

查看依赖的动态库(包含dll的路径)：lmf

查看pdb文件：lm

查看所有的线程堆栈：~*kbn

切换线程：~20s

切换线程上的栈信息：.frame x （x代表的堆栈）

输出信息到日志：.logopen c:text.log &&.logclose

自动分析：！analyze -v

查看所有线程的优先级：~* (Priority)

显示锁信息：!lcoks

列出CriticalSection的详细信息：!cs

保存dmp信息：.dump /ma C:\dumps\myapp.dmp

查看某个handle的具体信息：!handle xxx f

设置远程symbol位置：SRV*D:\SymbolLocal*http://msdl.microsoft.com/download/symbols

重新加载所有的符号表：.reload /f

每个线程消费的时间：!runaway   0x1（0x1代表的是线程消耗的用户模式时间，0x2代表消耗的内核时间,0x4每个线程从插件经历了多少时间）

显示当前作用域的所有局部变量的名字和值：dv

查看内存地址上的数据：db xxx (字节值和ASCII字符)

!heap相关介绍：

OptionEffect

-v

Causes the debugger to validate the specified heap.

-a

Causes the display to include all information for the specifiedheap. Size, in this case, is rounded up to theheap granularity. (Running!heap with the-a option is equivalent to running it with the three options-h -f -m, which can take a long time.)

-h

Causes the display to include all entries for the specifiedheap.

-f

Causes the display to include all the free list entries for the specifiedheap.

-m

Causes the display to include all the segment entries for the specifiedheap.

-t

Causes the display to include the tag information for the specifiedheap.

-T

Causes the display to include the pseudo-tag entries for the specifiedheap.

-g

Causes the display to include the global tag information. Global tags are associated with each untagged allocation.

-s

Causes the display to include summary information for the specifiedheap.

-k

(x86-based targets only) Causes the display to include the stack backtrace associated with each entry.

!heap -s 查看地址上的堆信息

!heap -stat -h 04920000 去观察这段内存(04920000)的详细情况,可以看到这地址上的内存分布

!heap -flt s 4 去查进程中size=4的所有内存

!heap -p -a 0365e8f0查看堆上的调用堆栈

u 相关介绍

如果要反汇编某一个地址，直接用u命令加地址，如果存在符号文件，也可以这样直接加函数名。

ub 指示要反汇编的区域是向后计算的，如果使用了ubAddress ，反汇编区域是以Address结束的8或9条指令。如果用ubAddressLLength语法指定区域，则反汇编以Address结尾的指定长度的内容。  

uf 命令显示内存中指定函数的反汇编代码。